Web Hosting Talk

SSL Newb... Need some 101


RPK_MN1
09-13-2008, 03:51 PM
Ok,
I'm working on my first site where I have to implement the SSL key stuff myself.

It seems that I'm a little more clueless than most of the sites I've been able to find assume :)

I'm working in ASP.net, if that makes a difference. I understand the concept of public and private keys from my days of working with PGP and the creation/certification process for the keys seems straightforward enough.

What I'm confused about is how to "selectively" use SSL. It seems to me that most e-commerce sites (which is what I'm building) allow you to browse the store on a non-SSL encrypted basis. Once you want to login, it's suddenly using SSL.

I guess what I'm confused about is how they seem to be able to not use SSL until you're ready to sign in. Is it possible to assign a key to only one subdirectory of your site?

Burhan
09-13-2008, 04:47 PM
SSL certificates are installed for a FQDN (hostname). They are not "linked" to a directory. The primary purpose of an SSL certificate is to verify the host, therefore the SSL certificate is tied to a hostname + server.

To initiate a secure connection, a handshake process is initiated by the client (the web browser). To start this process, the client sends a request to the https URL (technically, the https is called the scheme). The server recognizes this request (since https runs on a different port), and replies back with its credentials (the SSL certificate). The client then verifies the certificate (is it expired? does it match the hostname that I sent the request to? is it from a certification authority I recognize?) and then decides to trust the server and initiate a connection across a secure tunnel.

That's the Cliff Notes(R) version of how SSL works; if you are interested in the technical details (that can get a bit dry), I would suggest you Google TLS.

Anyway, for the programming part, you really don't have to do anything. The server -- if it is configured correctly -- will serve files over the https connection using the encrypted channel. If you want to force https for a particular file -- in other words, this file should not be accessed via http -- then you can put this rule in your code.

I'm not an ASP.NET guy, but I believe Request.Url.Scheme is what you want to check.

Hope this helps.
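
Added example, not part of either post: one way to apply the scheme check suggested above to selected parts of an ASP.NET site from `Global.asax.cs`, redirecting those paths to https and leaving the rest of the store on http. The path prefixes and the `GetHttpsRedirect` helper are hypothetical, and the application is assumed to sit at the site root with the certificate already installed for the hostname.

```csharp
// Global.asax.cs
using System;
using System.Web;

public class Global : HttpApplication
{
    // Hypothetical path prefixes; replace with the parts of your own site
    // that handle sign-in, account data or payment.
    private static readonly string[] SecurePrefixes =
        { "/login.aspx", "/account/", "/checkout/" };

    // Returns the https URL to redirect to, or null if the request can
    // be served as it arrived.
    public static Uri GetHttpsRedirect(Uri requested)
    {
        if (requested.Scheme == Uri.UriSchemeHttps)
            return null; // already on the encrypted channel

        bool needsSsl = false;
        foreach (string prefix in SecurePrefixes)
        {
            // IIS treats paths case-insensitively, so compare the same way.
            if (requested.AbsolutePath.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
            {
                needsSsl = true;
                break;
            }
        }
        if (!needsSsl)
            return null; // store browsing stays on plain http

        // Keep host, path and query; change only the scheme and port.
        UriBuilder builder = new UriBuilder(requested);
        builder.Scheme = Uri.UriSchemeHttps;
        builder.Port = -1; // -1 = default port for the scheme (443)
        return builder.Uri;
    }

    // Runs at the start of every request handled by ASP.NET.
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        Uri target = GetHttpsRedirect(Request.Url);
        if (target != null)
            Response.Redirect(target.AbsoluteUri, true); // true ends this response
    }
}
```

The redirect protects only the requests that follow it: a login form that was itself loaded over http and posts to an http URL has already sent the credentials unencrypted by the time this check runs, so the form page belongs under a secured prefix too.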